Details are still sketchy, but it looks as though millions of TalkTalk customers have been thoroughly compromised. If early reports are to be believed, there were some pretty basic failures, including a lack of encryption and the retention of sensitive data in the same location as everything else.
Could we have predicted something like this happening? Yes.
Is this an IT failure? Well, yes, but more importantly it’s a corporate governance failure. The chief executive has admitted that ‘in retrospect’ their IT security was inadequate. In this case hindsight really is 20/20 vision.
The question, of course, is how often was she told it was inadequate before the event? Did her Board even ask the question? Did anyone answer the question?
What can we learn from this latest débâcle?
Firstly, that even in V3, PCI-DSS isn’t doing the job. Target was assessed as compliant (with V2) shortly before its breach, so a compliance certificate is plainly not a guarantee of security. We do not yet know whether TalkTalk were compliant as well, and it is possibly erroneous to assume so; but if they were, did the Board take that certificate as sufficient proof of security? It shouldn’t have: a PCI-DSS assessment is a point-in-time check of the systems that handle card data, not of everything else the business holds.
Secondly, that the present legal regime is inadequate. The cost of these breaches falls disproportionately on the consumer, and there is neither a legal duty to disclose promptly, nor a requirement to offer proper assistance to those affected. The penalties – corporate and personal – for this kind of incompetence are simply too weak.
Thirdly, that consumers remain ignorant. Not only do they continue to choose services on price, not on security, they also refuse to listen when it comes to basic self-protection. There was an illuminating comment from a consumer in an article in the Times saying ‘like every other person in the country you go with an account password that’s easy to remember and use it for lots of different things’. Really? Would you be happy if your house key was the same as your car key?
So, what advice can we give?
If you’re a business that handles personal information, especially financial details, get serious about security today. Get a properly qualified consultant (CISSP or CISA) to do a full review, and if your non-exec hasn’t been asking searching questions about your preparedness, sack her and get one who will.
If you’re a consumer, stop using Password01 for everything. If you really can’t get your head around passphrases, then here’s a trick for you. Think of a word that’s not obviously connected to you but easy to remember, like ‘chestnut’. Write it using a capital first letter and number substitutions, so that websites that require so-called complex passwords will be happy, and add a special character afterwards. So now we have ‘Ch35tnut!’. This is not your password. This is your ‘salt’ (strictly it is a secret prefix rather than a cryptographic salt, but the name will do). To come up with your password for a specific website, you start with your salt and add the name of the website, or an abbreviation of it that you compose consistently, or the name of the service. So for TalkTalk your password is Ch35tnut!talktalk, or Ch35tnut!broadband; for Virgin it would be Ch35tnut!virgin, and so on. It’s not bomb-proof: the passwords are longer and so harder to guess, but anyone who sees one of them in clear, say in a dump from a badly run site, can read off the pattern and work out the rest, so change your salt if any site that holds it is breached. What it does give you is a different password for every site, and one you can work out from memory without needing to write it down.
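The following is an added example, not code from the original article or from MN. It implements the ‘salt + site name’ trick exactly as described above, shows why a single leaked password gives the pattern away, and, as a variant the article does not itself suggest, derives the per-site password with a keyed hash instead, so that one leaked password reveals neither the secret nor any other site’s password. The secret ‘Ch35tnut!’ and the site names are the article’s own; the 20-character length and the four appended characters are assumptions of this example.

```python
import base64
import hashlib
import hmac
from typing import Optional

# The article's example secret prefix (its 'salt').
SECRET_PREFIX = "Ch35tnut!"


def page_scheme(site: str) -> str:
    """Derive a per-site password exactly as the article describes: prefix + site name."""
    return SECRET_PREFIX + site


def recover_prefix(leaked_password: str, leaked_site: str) -> Optional[str]:
    """What an attacker does with one password seen in clear (or cracked):
    strip the known site name off the end and the shared prefix falls out,
    after which every other site's password can be written down directly."""
    if leaked_site and leaked_password.endswith(leaked_site):
        return leaked_password[: -len(leaked_site)]
    return None


def keyed_scheme(secret: str, site: str, length: int = 20) -> str:
    """Keyed-hash variant of the same idea (an assumption of this example, not the
    article's advice): HMAC-SHA256(secret, site) encoded in base64 and truncated.
    Because HMAC is one-way, a leaked output does not reveal the secret or any
    other site's password. Four characters (digit, upper, lower, symbol) chosen
    from the digest are appended so that sites demanding 'complex' passwords
    accept the result while it stays fully deterministic. Note that the base64
    alphabet includes '+' and '/', which a few sites reject."""
    if length < 8:
        raise ValueError("length too short to be useful")
    digest = hmac.new(secret.encode("utf-8"), site.encode("utf-8"), hashlib.sha256).digest()
    body = base64.b64encode(digest).decode("ascii").rstrip("=")[: length - 4]
    tail = (
        "0123456789"[digest[0] % 10]
        + "ABCDEFGHIJKLMNOPQRSTUVWXYZ"[digest[1] % 26]
        + "abcdefghijklmnopqrstuvwxyz"[digest[2] % 26]
        + "!#$%&*?@"[digest[3] % 8]
    )
    return body + tail


def demo() -> dict:
    """Run both schemes against the article's sites and show the leak consequence."""
    leaked = page_scheme("talktalk")               # imagine this turned up in a breach dump
    prefix = recover_prefix(leaked, "talktalk")   # attacker strips the site name
    return {
        "page_talktalk": leaked,
        "recovered_prefix": prefix,
        "attacker_guess_for_virgin": (prefix or "") + "virgin",
        "real_virgin": page_scheme("virgin"),
        "keyed_talktalk": keyed_scheme(SECRET_PREFIX, "talktalk"),
        "keyed_virgin": keyed_scheme(SECRET_PREFIX, "virgin"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} {v}")
```

With the article’s scheme, the attacker’s guess for Virgin equals the real Virgin password; with the keyed variant the two outputs share nothing recognisable, and the secret cannot be read back out of either. The price is that the keyed version cannot be worked out in your head, which is exactly the trade-off the article’s trick avoids.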
Two final things: if a website that needs any personal information imposes a limit on the length of your password that’s less than 16 characters, stop using that site. And when you sign up for a site, always request a password reminder immediately. If they send you an email with your original chosen password in it, in clear, the site is storing passwords in a form it can read back (a properly hashed password cannot be recovered, which is why a well-run site sends a reset link instead): stop using the site and demand that the site owner deletes your account immediately.
If that sounds refreshing, why not visit http://www.mn.co.uk/will-this-work-for-me to learn more, or call us on 020 7496 8000.